IDS mailing list archives
RE: IDS: Snort detecting distributed syn floods
From: THolman () toplayer com
Date: Mon, 17 Jan 2005 14:38:57 -0500
Um... Woah... lost you there. How does this help? How can you differentiate between spoofed and real SYNs coming into one of your services, if those SYNs are choking your bandwidth (and not your memory)?
True - if SYNs are choking bandwidth, then you cannot differentiate between spoofed and real SYNs, as there is no bandwidth left to send back SYN Cookies or perform SYN Proxying in order to verify that those source addresses are real. The solution is to get more bandwidth so you have the spare network capacity to verify source addresses. This extra bandwidth can either be your own (preferably in burstable form), or belong to a shared anti-DDOS service further upstream. You might say 'Why bother buying more bandwidth in order to defend against SYN floods?', or 'Why can't the ISP deal with this anyway, it's not my problem?', but at the end of the day, if a SYN Flood is causing a business problem (ie loss of earnings due to web site outage), then the only way to effectively deal with this is to invest in more bandwidth (usually in the form of a guaranteed burstable Internet feed), bring the whole of the attack in-house, and attempt to mitigate it, or of course, pay somebody else to do it (ie a service provider offering anti-DDOS services). Regards, Tim -----Original Message----- From: Tim [mailto:tim-security () sentinelchicken org] Sent: 17 January 2005 15:40 To: THolman () toplayer com Cc: focus-ids () securityfocus com Subject: Re: IDS: Snort detecting distributed syn floods
Detecting a SYN Flood is all very well, but what are you going to do once you find out you're under attack ? If all the sources are spoofed (as they usually are), then setting up an upstream firewall rule to block these sources won't help, neither will configuring your IDS to send RST packets (this would just double up
consumed
bandwidth). You would be best off setting a netflow or ACL threshold on your upstream router that alerts you when it starts receiving a lot of packets. If you're finding DDOS attacks are consuming more than 10-20Mb bandwidth, you will usually find smaller devices - routers, firewalls will start falling over (even those with DDOS protection built in).
Yes, it is difficult to defend against.
This is where an IPS comes in.
Um... Woah... lost you there. How does this help? How can you differentiate between spoofed and real SYNs coming into one of your services, if those SYNs are choking your bandwidth (and not your memory)? tim -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- IDS: Snort detecting distributed syn floods THolman (Jan 17)
- Re: IDS: Snort detecting distributed syn floods Tim (Jan 17)
- Re: IDS: Snort detecting distributed syn floods nick black (Jan 19)
- Re: IDS: Snort detecting distributed syn floods James Eaton-Lee (Jan 23)
- Re: IDS: Snort detecting distributed syn floods Mike Frantzen (Jan 24)
- Re: IDS: Snort detecting distributed syn floods James Eaton-Lee (Jan 24)
- Re: IDS: Snort detecting distributed syn floods James Eaton-Lee (Jan 24)
- Re: IDS: Snort detecting distributed syn floods nick black (Jan 19)
- Re: IDS: Snort detecting distributed syn floods Tim (Jan 17)
- <Possible follow-ups>
- RE: IDS: Snort detecting distributed syn floods THolman (Jan 20)